This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Trying to grasp how everything works and it is slowly sinking in. I have a Hybrid Azure AD Autopilot set up in my comanaged environment. My fresh test pc's run the get-windowsautopilotinfo script and enroll and kick off autopilot just fine. My endpoint gets Hybrid Domain joined, the 2 required apps install and the rest of the apps I have designated for my hybrid security group install afterwards. Eventually the SCCM client installs. I am not seeing BitLocker kick off until after the collection is updated in SCCM. I was hoping to encrypt it during the Hybrid Autopilot step. Here are some other details:
Cloud Attach is set up as follows:
Configure upload tab - Upload all devices managed by MECM and enable Endpoint Analytics
Enablement - Automatic enrollment in Intune - All
Workloads - all are set to Pilot Intune (hoping to move some to Intune soon)
Any direction will be helpful. please and thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Matt Dillon , From your description, it seems you use Autopilot Hybrid Azure AD enrollment and co-management. In Fact, there are two enrollment methods. You can choose one of them to do the enrollment.
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods
For co-management, there are two paths to do the enrollment. One is for existing Configuration Manager device. The other is for Internet device with first enrolled into Intune. Here is a link with more details for your reference:
https://learn.microsoft.com/en-us/mem/configmgr/comanage/quickstart-paths
Based on my research, there is a new technology to put Autopilot into co-management. But currently, Hybrid Azure AD-joined devices is not supported.
https://learn.microsoft.com/en-us/managed-desktop/get-started/autopilot-co-management
Meanwhile, I notice you want to know if BitLocker can enable during Autopilot enrollment. During Windows Autopilot Enrollment Status page, it will install some applications and applied some profiles.
https://learn.microsoft.com/en-us/mem/autopilot/enrollment-status
For BitLocker, in Windows 10 1809 and above, it will wait to begin encrypting until the end of OOBE, after the ESP device configuration phase has completed. Here is a link with more details:
https://oofhours.com/2019/08/26/bitlocker-esp-and-windows-autopilot-working-in-harmony/
Note: Non-Microsoft link, just for your reference.
To enable BitLocker for windows device with Microsoft Intune, we can configure "Endpoint security disk encryption policy" or "Device configuration profile for endpoint protection". Here is a link with more details for your reference:
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
For your scenario, I suggest choosing only one method to do the enrollment to avoid any issue. Then try to deploy BitLocker policy via Intune. Check the policy to see if is applied to the device successfully. If not, we can follow the following links to do the troubleshooting:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-bitlocker-policies
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-bitlocker-policies-in-microsoft/ba-p/863670
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Matt Dillon , Hope things are going well. I am writing to see if there's anything else we can help. If yes, feel free to let us know.